Modify bind9 apparmor profile on installation

If the apparmor configuration file is there, an extra include will be added and the install/app/usr.sbin.named-alternc file deployed to the apparmor local configuration directory. This allows bind to work with AlternC and apparmor enabled out of the box on Debian Buster.
2019-12-17 14:27:14 -05:00 · 2019-12-17 14:27:14 -05:00 · 95efdafd3d
parent e3a59dd504
commit 95efdafd3d
3 changed files with 33 additions and 0 deletions
--- a/debian/alternc.postinst
+++ b/debian/alternc.postinst
@ -253,8 +253,29 @@ NFS_QUOTA=no" >> $CONFIGFILE
    chown root:bind /var/lib/alternc/bind/automatic.conf /var/lib/alternc/bind/slaveip.conf
    chmod 640       /var/lib/alternc/bind/automatic.conf /var/lib/alternc/bind/slaveip.conf
    mkdir -p /run/alternc && chown alterncpanel:alterncpanel /run/alternc
+    # Bind Apparmor Override, required by default on >= Buster
+    if [ -f '/etc/apparmor.d/usr.sbin.named' ] ; then
+        if ! grep -q 'usr.sbin.named-alternc' /etc/apparmor.d/usr.sbin.named ; then
+            sed -i 's/\(#include <local\/usr.sbin.named>\)/\1\n  #include <local\/usr.sbin.named-alternc>/' /etc/apparmor.d/usr.sbin.named
+        fi
+        # This section is based on the fragment generated by dh_apparmor:
+        # $> dh_apparmor --profile=usr.sbin.named-alternc -p alternc
+        # Add the local/ include
+        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.sbin.named-alternc"
+
+        test -e "$LOCAL_APP_PROFILE" || {
+            mkdir -p `dirname "$LOCAL_APP_PROFILE"`
+            install --mode 644 /usr/share/alternc/install/apparmor/usr.sbin.named-alternc "$LOCAL_APP_PROFILE"
+        }
+
+        # Reload the profile, including any abstraction updates
+        if aa-enabled --quiet 2>/dev/null; then
+            apparmor_parser -r -T -W "usr.sbin.named" || true
+        fi
+    fi
    touch /run/alternc/refresh_slave
    /usr/lib/alternc/slave_dns
+
    # Apache will not start without this file
    touch /var/lib/alternc/apache-vhost/vhosts_all.conf

--- a/debian/alternc.postrm
+++ b/debian/alternc.postrm
@ -57,6 +57,16 @@ case "$1" in
    #  rm -rf /var/alternc/mail
    #fi

+    # Remove bind apparmor additions
+    if [ -f '/etc/apparmor.d/usr.sbin.named' ] ; then
+        sed -i '/#include <local\/usr.sbin.named-alternc>/d' /etc/apparmor.d/usr.sbin.named
+    fi
+    rm -f /etc/apparmor.d/local/usr.sbin.named-alternc
+    # Reload the profile, including any abstraction updates
+    if aa-enabled --quiet 2>/dev/null; then
+        apparmor_parser -r -T -W "usr.sbin.named" || true
+    fi
+
    #rm -rf /var/alternc/apacheconf /var/alternc/cgi-bin /var/alternc/bureau /var/alternc/exec.usr /var/alternc/mla /var/alternc/redir /var/alternc/tmp /var/log/alternc
    rm -f /etc/apache*/conf.d/override_php.conf /etc/apache*/conf.d/alternc-ssl.conf /etc/apache*/conf.d/alternc.conf
    rm -f /etc/php*/conf.d/alternc.ini
--- a/install/apparmor/usr.sbin.named-alternc
+++ b/install/apparmor/usr.sbin.named-alternc
@ -0,0 +1,2 @@
+/var/lib/alternc/bind/** rw,
+/var/lib/alternc/bind/ rw,